Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
53 lines (38 sloc) 2.93 KB


Sandboxing makes phishing / infection hard. If a target can hand off your payload to a third party to "Detonate", how can you get them to run your payload?! Simple: by handing sandboxes innocuous payloads to detonate.

This is done via some User-Agent matching, pulling networks advertised by ASNs of known sandbox companies, and "MISC" sources that were found from previous real-world phishing attempts. The original idea came up during some phishing campaigns a while ago, later someone pointed me to @curi0usJack's htaccess file which provided the user-agents.

Thanks to @curi0usJack for some data source/info, and thanks to @imoorhouse904 for testing and data to add!

TLDR; edit DESTINATION to point to benign version of payload, put output into .htaccess, hopefully enjoy phishing again!

Apache Config

Make sure your apache configs AllowOverride, so the htaccess will work. Example:

   <Directory "/var/www/html/test">
      Options Indexes FollowSymLinks
      AllowOverride All

If you need to debug how it is matching, add "LogLevel alert rewrite:trace6" to your main configuration -- but keep in mind that each connection attempt will log EACH regex to your logs. This can fill logs/drives quickly if alot of attempts occur!

mkhtaccess_red Config

Simply edit a few variables within the program, all at the top:

WORKINGFILE=/tmp/redhtaccess ; this will be the final file, you can leave this
TMPFILE=/tmp/tmptargets ; temp working file, you can leave this
JACKTMP=/tmp/jacktmp ; temp working file for curi0usJack's file, you can leave this
CURLOPTIONS="--connect-timeout 10" ; add additional curl options here, such as proxies, you can leave this
DESTINATION="" ; this is where to redirect sandboxes -- make it look as similar to the original as possible, but make it redirect to a clean (malware-free) version of your payload!

Adding Useragents / ASNs / Misc networks to mkaccess_red

Similar to the section above, all ASN/useragent/misc configs are kept internal to keep the file portable/easy to deal with.


Simply add additional regexs to match agents inside of this variable, example:

   AGENTS="^.*cloudfront.*$ ^curl.*$ ^Python-urllib.*$ ^Wget.*$ ^Lynx.*$ ^Slackbot-LinkExpanding.*$"


Add additional ASNs to this variable in the form of CompanyName_ASN#, example:

   ASNS="zScaler_AS22616 DigitalOcean_AS46652 ForcePoint_AS13448 CiscoMeraki_AS395831"

Misc Nets/Addresses:

Add additional lines per "misc" source, starting with a "#" ! Add in the form of:

   #MISC- in phish
   #MISC- seen in previous phish
You can’t perform that action at this time.